untrusted comment: verify with openbsd-77-base.pub
RWSbCCUoGpcxVcc4VawmEKKLFgJjz3klAWrP8XE1K4OeJT0EZx+mPc2Dba70oDZtt+/KgGnEeOlB1qntQuudR2TrOGz0ZBSS0wc=

OpenBSD 7.7 errata 038, April 21, 2026:

libXpm out-of-bounds read.  CVE-2026-4367

Apply by doing:
    signify -Vep /etc/signify/openbsd-77-base.pub -x 038_libxpm.patch.sig \
        -m - | (cd /usr/xenocara && patch -p0)

And then rebuild and install libXpm:
    cd /usr/xenocara/lib/libXpm
    make -f Makefile.bsd-wrapper obj
    make -f Makefile.bsd-wrapper build

Index: lib/libXpm/src/data.c
===================================================================
RCS file: /cvs/xenocara/lib/libXpm/src/data.c,v
diff -u -p -r1.6 data.c
--- lib/libXpm/src/data.c	3 Oct 2023 15:55:58 -0000	1.6
+++ lib/libXpm/src/data.c	13 Apr 2026 11:07:53 -0000
@@ -210,6 +210,9 @@ xpmNextString(xpmData *data)
 	    while ((c = *data->cptr++) && c != data->Bos && c != '\0')
 		if (data->Bcmt && c == data->Bcmt[0])
 		    ParseComment(data);
+
+	    if (c == '\0')
+		return XpmFileInvalid;
 	} else if (data->Bcmt) {	/* XPM2 natural */
 	    while (((c = *data->cptr++) == data->Bcmt[0]) && c != '\0')
 		ParseComment(data);
Index: lib/libXpm/src/parse.c
===================================================================
RCS file: /cvs/xenocara/lib/libXpm/src/parse.c,v
diff -u -p -r1.9 parse.c
--- lib/libXpm/src/parse.c	7 May 2023 16:07:43 -0000	1.9
+++ lib/libXpm/src/parse.c	13 Apr 2026 11:07:54 -0000
@@ -221,7 +221,9 @@ xpmParseColors(
 
     if (!data->format) {		/* XPM 2 or 3 */
 	for (a = 0, color = colorTable; a < ncolors; a++, color++) {
-	    xpmNextString(data);	/* skip the line */
+	    ErrorStatus = xpmNextString(data);         /* skip the line */
+	    if (ErrorStatus != XpmSuccess)
+		goto error;
 
 	    /*
 	     * read pixel value